Prevx Blog

Feb 16th

BSOD after MS10-015? TDL3 authors "apologize"

Posted by: Marco Giuliani


Last November we blogged about a new rootkit spreading around the net. That rootkit, called TDL3, TDSS or Tidserv (there are many different names for the same malware, as often happens between security companies), was pretty scary because of the new way it compromised the system, using both improved and entirely new tricks.

A couple of months later, we are here to raise the alarm again about this threat, which its creators have kept improving.

The fact is that the team of coders behind this rootkit is working hard to improve its creature. During these months they never stopped updating it, releasing new rebuilt droppers every day, sometimes several times a day, able to evade generic detection signatures.

All TDL3 droppers have been rebuilt server-side every day during November, December, January and February. This allowed the authors to break weak signatures or badly written generic detection routines. Actually, this was the only effective obstacle for them: once the infection is active, only a very few specific anti-rootkit tools are able to detect it.

The rootkit itself has also been updated and armored, to defend itself against a number of specific anti-rootkit tools. Following the full story of the rootkit is entertaining, because it looks like a chess game between security vendors and malware authors. It's one of the few times you can see a team of rootkit writers counteracting security vendors almost in real time.

We already knew the rootkit is able to infect a system driver and to filter every disk I/O request with a strong filtering mechanism. Now the rootkit has added a watchdog thread that prevents any change to the service registry key of the infected driver (the key under HKLM\SYSTEM\CurrentControlSet\Services that names the driver image). By doing so, it is able to block some basic cleanup tools.

Another self-defense feature added to the rootkit is that nobody can get a handle to the infected driver file any more. By doing so, the rootkit prevents some cleanup tools from reading the content of the file. Prior versions of the rootkit allowed the infected file to be read, though they showed a clean copy of it; some security tools used this trick to recover the original clean copy of the file and restore it.

We have some doubts about the real usefulness of this self-defense feature. While it is true that it is no longer possible to get the original file content, it is also true that the infected driver is now easier to discover: every scanner will get no access at all to the file, and this anomaly will be reported.

Last Tuesday Microsoft released a number of Windows updates, some of them critical because they fixed a 17-year-old kernel bug. After some users updated their Windows operating systems, they got a scary and really annoying blue screen of death.

Most of those users were angry with Microsoft, but this time the problem is not Microsoft's. Indeed, a number of the users affected by this BSOD were infected by the TDL3/TDSS rootkit.

More exactly, the TDL3 rootkit looks incompatible with the MS10-015 update, and this is the cause of the BSOD. The problem resides in the laziness of the rootkit writers when writing the driver infection routine.

When the rootkit dropper is run, the infection calculates the RVA offsets of some Windows kernel APIs and hard-codes them, so that at every restart the portion of the rootkit loader injected inside the infected driver can use those offsets to immediately compute the address of the wanted functions, rather than looking them up by name at boot.

This worked well until the MS10-015 update, which replaced the Windows NT kernel. The update changed those offset values and consequently broke the rootkit code. When the update procedure is finished, the system is restarted; at restart, the rootkit code tries to call an invalid address and this causes the BSOD.
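The failure described above can be reproduced on any PE image without touching a kernel. The block below is an added example, not code from the original post or from the rootkit: it builds two constructed in-memory PE32 images standing in for the kernel before and after an update (the export names are real kernel exports, the RVAs and layout are made up), resolves exports by name through the export directory the way a loader does at run time, and then shows that an offset captured once from the first image no longer points at the function in the second. That mismatch is the condition that turns a hard-coded jump into a crash.

```python
import struct

IMAGE_SIZE = 0x1000      # size of each constructed image (mapped layout)
EXPORT_DIR_RVA = 0x200   # where the constructed export directory lives


def build_image(exports):
    """Build a constructed PE32 image (mapped, so RVA == offset) whose export
    directory advertises `exports`, a dict of name -> RVA. Only the fields an
    export resolver reads are filled in."""
    img = bytearray(IMAGE_SIZE)
    e_lfanew = 0x40
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, one section, 0xE0-byte optional header, EXE
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", img, opt + 56, IMAGE_SIZE)  # SizeOfImage
    struct.pack_into("<I", img, opt + 92, 16)          # NumberOfRvaAndSizes
    names = sorted(exports)                            # loader expects sorted names
    n = len(names)
    funcs_rva = EXPORT_DIR_RVA + 40                    # AddressOfFunctions
    names_rva = funcs_rva + 4 * n                      # AddressOfNames
    ords_rva = names_rva + 4 * n                       # AddressOfNameOrdinals
    cursor = ords_rva + 2 * n                          # NUL-terminated names follow
    struct.pack_into("<IIHHIIIIIII", img, EXPORT_DIR_RVA,
                     0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    for i, name in enumerate(names):
        struct.pack_into("<I", img, funcs_rva + 4 * i, exports[name])
        struct.pack_into("<I", img, names_rva + 4 * i, cursor)
        struct.pack_into("<H", img, ords_rva + 2 * i, i)
        blob = name.encode("ascii") + b"\0"
        img[cursor:cursor + len(blob)] = blob
        cursor += len(blob)
    # DataDirectory[0] = export table (RVA, size)
    struct.pack_into("<II", img, opt + 96, EXPORT_DIR_RVA, cursor - EXPORT_DIR_RVA)
    return bytes(img)


def _u16(img, off):
    return struct.unpack_from("<H", img, off)[0]


def _u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def export_rva(img, wanted):
    """Resolve an export by name by walking the export directory: what a loader
    does at run time and what a driver should do instead of storing offsets.
    Returns None if the name is not exported; raises on forwarded exports
    (RVA inside the export directory), since those point at a string, not code."""
    if img[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = _u32(img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24
    dd = opt + (96 if _u16(img, opt) == 0x10B else 112)  # PE32 vs PE32+
    exp_rva, exp_size = _u32(img, dd), _u32(img, dd + 4)
    if exp_rva == 0:
        return None
    n_names = _u32(img, exp_rva + 24)
    funcs, names, ords = (_u32(img, exp_rva + o) for o in (28, 32, 36))
    target = wanted.encode("ascii")
    for i in range(n_names):
        name_rva = _u32(img, names + 4 * i)
        if img[name_rva:img.index(b"\0", name_rva)] == target:
            rva = _u32(img, funcs + 4 * _u16(img, ords + 2 * i))
            if exp_rva <= rva < exp_rva + exp_size:
                raise ValueError("forwarded export: " + wanted)
            return rva
    return None


def audit_hardcoded_offsets(captured_from, running_now, names):
    """Compare offsets captured once (what the rootkit hard-coded) with what the
    image actually running exports. False in the last slot means a call through
    the stored offset lands somewhere other than the start of the function."""
    report = {}
    for name in names:
        stale, live = export_rva(captured_from, name), export_rva(running_now, name)
        report[name] = (stale, live, stale is not None and stale == live)
    return report


# Constructed stand-ins for the kernel before and after an update.
PRE_PATCH = build_image({"ExAllocatePool": 0x4A0, "ZwClose": 0x5C0})
POST_PATCH = build_image({"ExAllocatePool": 0x4E8, "ZwClose": 0x620})

if __name__ == "__main__":
    for name, (stale, live, ok) in audit_hardcoded_offsets(
            PRE_PATCH, POST_PATCH, ["ExAllocatePool", "ZwClose"]).items():
        print(f"{name}: hardcoded {stale:#x}, actual {live:#x}, "
              f"{'ok' if ok else 'STALE: call would land in the wrong place'}")
```

Pointing export_rva() at a real ntoskrnl.exe copied from disk needs one extra step, mapping each section from its raw file offset to its virtual address, because the on-disk layout and the mapped layout differ; the constructed images above skip that by being mapped already. The point stands either way: anything that must survive a kernel update has to resolve by name, not by an offset measured once.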

Good news is that the TDL3 authors care about us: within a couple of hours they released a new updated version of the rootkit compatible with the Microsoft patch.

Sadly, the number of users affected by this BSOD is quite high, which means the rootkit infection is spreading quickly.

Moreover, a parallel version of the TDL3 rootkit is spreading too. This one uses an old infection technique, already seen in one of the first versions of TDL3. The injected DLL is no longer called tdlcmd.dll but z00clicker.dll.

International law enforcement should really consider cooperating with security vendors to shut down this botnet by tracking down the gang behind it. They are active and able to release updates every day; they are already a serious threat that should be defeated as soon as possible.

If during a scan Prevx reports an infection caused by tdlcmd.dll or z00clicker.dll, please contact Prevx technical support. Our technicians will help our customers get rid of the TDL3 infection.

15 comments so far

  1. Triple Helix on Feb 16 4:11, 2010

     Thanks for the update Marco and a good read!

  2. KG on Feb 16 12:02, 2010

     Hello, thanks for keeping us updated on this event. I think it happened to me as well, the BSOD thingy, and I did a restore and set up back for the updates, and do my updates manually instead of automatic, as it was set up prior. Thanks again for this information. I'll be watching and reading more. :)

  3. S on Feb 17 17:50, 2010

     "Good news is that TDL3 authors care about us and they released in a couple hours a new updated version of the rootkit compatible with the Microsoft patch."

     If the rootkit authors really cared about us, they'd get their patch integrated into Windows Update so those machines needing both MS10-015 and the rootkit patch can get both at once. ;-)

  4. Tritech on Feb 17 18:35, 2010

     Wow... there are people still trying to remove infections using the infected system. That's pretty funny, actually, and this article shows *exactly* why: it's an absolute total waste of time. In fact, the TDSS/UAC rootkit is one of the inspiring nasties behind me creating the Tritech Service System, which we just started releasing to the Open Source Software community a couple of days ago (minus some of our custom stuff). If you're willing to become Linux-savvy, it's a perfect tool for scratching out rootkits. Download it, burn it, and try it out at c02ware dot com.

  5. ET on Feb 17 19:03, 2010

     "If the rootkit authors really cared about us, they'd get their patch integrated into Windows Update so those machines needing both MS10-015 and the rootkit patch can get both at once. ;-)"

     You mean to say Microsoft hasn't agreed to including it in these past years? Why else would Vista be so bad... lol

  6. Gypsy on Feb 17 21:32, 2010

     Where do I DL the Rootkit Patch?

  7. GFC on Feb 18 2:45, 2010

     "You mean to say Microsoft hasn't agreed to including it in these past years? Why else would Vista be so bad... lol"

     Sorry to burst your bubble, but this BSOD is an XP problem.

  8. phil on Feb 18 22:05, 2010

     @GFC

     lol No, it's not. I've had 3 customers that had it on XP

  9. BIOS and PCI rootkits are becoming a problem on Feb 19 5:16, 2010

     Despite the millions of dollars individuals and organizations cough up to commercial antimalware companies, these rootkits continue. Are there backroom deals going on? Why did it take so long following the Sony BMG rootkit for commercial antimalware providers to "detect" the Sony BMG rootkit? How many rootkits, new or old, continue to dodge the commercial antimalware providers? This should be criminal!

     A critical issue is rootkits nesting inside hardware flashable vectors. The OS itself could and should block flashing to the BIOS and other flashable media. How is Joe Public to audit his Nvidia card or the flashy new sound card he purchased for a rootkit? Rootkits are using these vectors for attack, and a blue screen popping up with an update should be egg on Microsoft's face. Instead, the issue is blamed on the rootkit.

     The public should hold Microsoft and commercial antimalware providers responsible for a lack of protection, detection and disinfection. BIOS and PCI rootkits are becoming more and more of a hassle, and unless the user downloads a tool like "gmer", which detects but does not clean, the users will remain lost until updates such as this awaken many of them to the reality of the rootkits. Sadly, many will not wake up even then, instead going about their usual wipe and reinstall process, or taking it as a mystical sign from the vendor they need to buy a new version of Windows instead.

     Google "bluepill rootkit" and "PCI rootkit .pdf" to start learning.

  10. jungletek on Feb 19 9:44, 2010

     @phil

     lern 2 read, lulz

     On topic: I'm still barely even a noob coder, but even I know that hardcoding offsets and addresses like that will surely be broken by an update eventually

  11. Brad on Feb 19 14:13, 2010

     Good read, thanks

  12. Smith on Feb 19 22:50, 2010

     TDL3 authors "apologize" ... or Microsoft to apologize.

     TDL3 Rootkit, also known as Alureon, should have been removed by Microsoft Windows Malicious Software Removal Tool according to its specification given on the official website. It is one of the first updates to a new Windows installation and is updated, runs and performs regular scans in the background.

  13. Pam on Feb 20 18:04, 2010

     HELP!!

     My system is doing a rolling reboot, due to the Alureon Rootkit malware that was installed on my last Windows update. I cannot even get my computer up and running through safe mode nor a bootable Windows CD. I have been able to get into the Microsoft Windows recovery console; however, it did not seem to work as I am still unable to reboot... Any help would be greatly appreciated to get my computer up and running again. My daughter has a major project that is on the computer that she needs :-( ... I am sooooooooo close to going to Lenox OS...

     Thanks,

     Pam

  14. mcb on Feb 21 3:33, 2010

     "lol No, it's not. I've had 3 customers that had it on XP"

     @phil

     I believe phil meant Vista at the end.

  15. Subhro Bhandari on Mar 1 14:15, 2010

     Thanks for the article as always.
